<font size=2 face="sans-serif">I'm running an IKEv2 NAT-T test with Strongswan
4.5.0 behind a NAT</font>
<br>
<br>
<br><font size=2 face="sans-serif">Linux ------- NAT| -------- initiator</font>
<br>
<br>
<br>
<br><font size=2 face="sans-serif">The IKE_SA_INIT and IKE_AUTH are sent
and received from the Linux just fine. </font>
<br><font size=2 face="sans-serif">Strongswan detects the NAT in front
of itself and also returns the IKE_AUTH on src port 4500; dst port
4500 just fine.</font>
<br>
<br><font size=2 face="sans-serif">However, after that everything that's
sent from strongswan is with src port 4500; dst port 500.</font>
<br><font size=2 face="sans-serif">That includes:</font>
<br><font size=2 face="sans-serif">- delete child_sa informational </font>
<br><font size=2 face="sans-serif">- any ESP packets that are sent in UDP
encap</font>
<br><font size=2 face="sans-serif">- any create_child_sa requests.</font>
<br>
<br>
<br><font size=2 face="sans-serif">If I take the same configuration and
initiate from strongswan, the entire NAT exchange works, including whatever
is sent after the IKE_AUTH exchange. </font>
<br>
<br>
<br><font size=2 face="sans-serif">I'm not seeing where this is a configuration
issue, but might be missing something. </font>
<br>
<br>
<br>
<br><font size=2 face="sans-serif">traces from strongswan:</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
]</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[IKE] 10.10.110.204 is initiating an IKE_SA</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[IKE] local host is behind NAT, sending keep alives</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]</font>
<br><font size=2 face="Courier New">Apr 4 01:55:59 blackthumb charon:
16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[CFG] looking for peer configs matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[CFG] selected peer config 'strongswan-remotehost'</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] authentication of '10.10.110.204' with pre-shared key successful</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] authentication of '9.5.149.53' (myself) with pre-shared key</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] IKE_SA strongswan-remotehost[1] established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] scheduling reauthentication in 10181s</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] maximum IKE_SA lifetime 10721s</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[IKE] CHILD_SA strongswan-remotehost{1} established with SPIs ce28fab5_i
58db4f08_o and TS 9.5.149.53/32 === 10.10.110.204/32 </font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT)
]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:01 blackthumb charon:
01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:12 blackthumb charon:
00[DMN] signal of type SIGINT received. Shutting down</font>
<br><font size=2 face="Courier New">Apr 4 01:56:12 blackthumb charon:
00[IKE] deleting IKE_SA strongswan-remotehost[1] between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:12 blackthumb charon:
00[IKE] sending DELETE for IKE_SA strongswan-remotehost[1]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:12 blackthumb charon:
00[ENC] generating INFORMATIONAL request 0 [ D ]</font>
<br><font size=2 face="Courier New">Apr 4 01:56:12 blackthumb charon:
00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]</font>
<br>
<br><font size=2 face="sans-serif"><br>
<br>
Dennis Frett<br>
</font>
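As an added example (not part of the original post and not strongSwan's own code), here is a small checker for the NAT-T port invariant the post describes: once an IKE_SA with a peer has floated to UDP 4500, every packet charon subsequently sends to that peer must also go to port 4500 (RFC 7296, section 2.23). It scans charon's `[NET]` log lines and reports any later "sending packet" line addressed to a floated peer on a port other than 4500. The log lines embedded below are constructed after the ones in the post; the peer addresses, the IPv4-only address pattern and the line format are assumptions taken from that trace.

```python
import re
from dataclasses import dataclass

# Matches charon's [NET] lines as they appear in the post, e.g.
# "Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]"
# Assumption: IPv4 addresses only (a hypothetical IPv6 deployment would need a wider pattern).
NET_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)

NAT_T_PORT = 4500


@dataclass
class Violation:
    line_no: int   # 1-based index into the scanned log
    peer: str      # remote address the packet was sent to
    port: int      # destination port actually used (expected 4500)
    text: str      # the offending log line


def check_nat_t_ports(lines):
    """Return Violations for packets sent to a peer on a port other than 4500
    after that peer has already been seen on 4500 (i.e. after the NAT-T float)."""
    floated = set()      # peers seen on 4500 in either direction
    violations = []
    for n, line in enumerate(lines, 1):
        m = NET_RE.search(line)
        if not m:
            continue     # not a [NET] send/receive line
        if m["dir"] == "received":
            peer, peer_port = m["src"], int(m["sport"])
        else:
            peer, peer_port = m["dst"], int(m["dport"])
        # Check before recording: the packet that performs the float is legitimate.
        if m["dir"] == "sending" and peer in floated and peer_port != NAT_T_PORT:
            violations.append(Violation(n, peer, peer_port, line.strip()))
        if peer_port == NAT_T_PORT:
            floated.add(peer)
    return violations


# Constructed sample, modelled on the trace in the post: the DELETE after
# IKE_AUTH goes back to port 500 although the SA already floated to 4500.
BAD_LOG = """\
Apr  4 01:55:59 blackthumb charon: 16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]
Apr  4 01:55:59 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]
Apr  4 01:56:01 blackthumb charon: 01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 01:56:12 blackthumb charon: 00[IKE] sending DELETE for IKE_SA strongswan-remotehost[1]
Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]
"""

# Constructed healthy counterpart: the DELETE stays on 4500/4500.
GOOD_LOG = BAD_LOG.replace("to 10.10.110.204[500]\n", "to 10.10.110.204[4500]\n", 1) \
    if False else BAD_LOG.rsplit("\n", 2)[0] + \
    "\nApr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]\n"


if __name__ == "__main__":
    for name, log in (("bad", BAD_LOG), ("good", GOOD_LOG)):
        found = check_nat_t_ports(log.splitlines())
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print(f"  line {v.line_no}: sent to {v.peer} port {v.port}: {v.text}")
```

Run it against a full charon log (`grep '\[NET\]' /var/log/daemon.log`, for instance) to confirm whether every post-float packet to the peer, not just the DELETE in the excerpt above, reverts to port 500; a NAT that has only a 4500 mapping will silently drop those packets, so this is the first thing to verify before looking at the configuration.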